District Contracts with Online Vendors Lack Transparency and Security

Dec 16, 2013

CLOUDY WITH A CHANCE OF PITFALLS: Schools are increasingly relying on cloud services, but how secure is the data? A study from Fordham Law School's Center on Law and Information found that many "districts give up control of student information with using cloud services, with fewer than 25% of the agreements specifying the purpose for disclosures of student information." Even more troubling is the fact that "fewer than 7%...restrict[ed] the sale of sale or marketing of student information by vendors," which flies in the face of laws like FERPA that mandate the privacy of student education records. The full report (PDF) analyzes the contracts for seven types of vendor services and also looks at district policies on teachers' computer use and parent notifications.

Pulling data for this study proved harder than pulling teeth. Fifty-four districts--from tiny, rural ones to the NYDOE--were asked to share vendor contracts, computer use policies, and notices sent to parents about student data privacy. Unsurprisingly, many refused. Even when the report authors sent formal open records acts requests, only 20 responded in a timely fashion.

The report concludes with recommendations on how districts can better negotiate with vendors to protect student data and create more transparent policies around privacy. Here's a good start: "The existence and identity of cloud service providers should be available on district websites."

District Contracts with Online Vendors Lack Transparency and Security

Dec 16, 2013

CLOUDY WITH A CHANCE OF PITFALLS: Schools are increasingly relying on cloud services, but how secure is the data? A study from Fordham Law School's Center on Law and Information found that many "districts give up control of student information with using cloud services, with fewer than 25% of the agreements specifying the purpose for disclosures of student information." Even more troubling is the fact that "fewer than 7%...restrict[ed] the sale of sale or marketing of student information by vendors," which flies in the face of laws like FERPA that mandate the privacy of student education records. The full report (PDF) analyzes the contracts for seven types of vendor services and also looks at district policies on teachers' computer use and parent notifications.

Pulling data for this study proved harder than pulling teeth. Fifty-four districts--from tiny, rural ones to the NYDOE--were asked to share vendor contracts, computer use policies, and notices sent to parents about student data privacy. Unsurprisingly, many refused. Even when the report authors sent formal open records acts requests, only 20 responded in a timely fashion.

The report concludes with recommendations on how districts can better negotiate with vendors to protect student data and create more transparent policies around privacy. Here's a good start: "The existence and identity of cloud service providers should be available on district websites."